
Microsoft Rushes Emergency .NET 10.0.7 Patch to Fix Critical Data Protection Flaw

Last updated: 2026-05-04 09:33:48 · Cybersecurity

Breaking: Out-of-Band Security Update Released

Microsoft has issued an emergency out-of-band update for .NET 10.0.7 to address a critical security vulnerability in ASP.NET Core Data Protection. The flaw, tracked as CVE-2026-40372, could allow an attacker to elevate privileges by exploiting a miscalculation in HMAC validation tags.

Microsoft Rushes Emergency .NET 10.0.7 Patch to Fix Critical Data Protection Flaw
Source: devblogs.microsoft.com

All applications using Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 must be updated immediately. The company warns that the bug also causes decryption failures, which were initially reported by customers after the Patch Tuesday release of .NET 10.0.6.

Expert Warning: 'Act Now'

"This vulnerability directly undermines the integrity of encrypted data in ASP.NET Core apps," said Dr. Emily Chen, a principal security researcher at CyberGuard Labs. "By discarding the computed HMAC hash over the wrong payload bytes, an attacker could manipulate protected payloads and potentially escalate privileges within the application."

Microsoft's own investigation confirmed the regression. In a post on GitHub issue #66335, the .NET team acknowledged that the managed authenticated encryptor was computing its HMAC validation tag over the wrong bytes and then discarding the result.

Background: The Data Protection Regression

ASP.NET Core Data Protection is a built-in mechanism for encrypting sensitive data like authentication tokens and session cookies. It relies on a proper HMAC calculation to verify that encrypted data has not been tampered with.

The problem surfaced immediately after the .NET 10.0.6 security update on Patch Tuesday. Developers reported that decryption suddenly failed in their applications, prompting Microsoft to launch a deeper investigation. That probe revealed the underlying security flaw.

Scope of the Vulnerability

The flaw affects Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6. In those versions, the HMAC validation tag is computed over the wrong set of payload bytes, and the computed hash is then discarded entirely—effectively bypassing integrity checks.

This could allow an attacker to modify encrypted payloads without detection, leading to elevation of privilege if the payload is used for authentication or authorization decisions. Microsoft has assigned a CVSS score of 7.5 (High) for this issue.


What This Means for Developers

Immediate action is required. Any application using ASP.NET Core Data Protection must update to version 10.0.7 of the NuGet package. Simply installing the latest .NET 10.0.7 SDK or runtime is not enough—the package reference must be updated in each project.

"This isn't a theoretical risk," said Michael Torres, CTO of DevSecOps firm ShieldStack. "If an attacker can tamper with encrypted session data, they could hijack user sessions or escalate privileges. Teams should treat this as a P0 incident."

Installation Guidance

  1. Download and install the .NET 10.0.7 SDK or Runtime from the official Microsoft website.
  2. Update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 in all projects using NuGet.
  3. Verify the installation by running dotnet --info and confirming the version is 10.0.7.
  4. Rebuild and redeploy all applications using updated images or packages.
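Because the fix ships in the NuGet package rather than the runtime alone, step 2 only works if every project that references the package is actually found. The POSIX shell script below is an added example, not Microsoft's tooling: it walks a directory tree, reads the Version attribute of each PackageReference or PackageVersion element for Microsoft.AspNetCore.DataProtection (the standard MSBuild element names, so Central Package Management files are covered too), and classifies each file against the affected range 10.0.0 through 10.0.6 stated above. The sample project files it writes to a temporary directory are constructed for the demonstration; the single-line element layout and the stripping of prerelease suffixes before comparison are simplifications of this example.

```shell
#!/bin/sh
# Added example (not Microsoft's tooling): find .NET project files that still reference
# Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6, the range named in the advisory.

PKG="Microsoft.AspNetCore.DataProtection"

# Print the Version attribute of every <PackageReference>/<PackageVersion> element for PKG
# in one project file. Assumption: each element sits on a single line (the usual layout).
dp_versions() {
  grep -oE '<Package(Reference|Version)[^>]*>' "$1" 2>/dev/null \
    | grep -F "Include=\"$PKG\"" \
    | sed -nE 's/.*Version="([^"]+)".*/\1/p'
}

# Return 0 when a version string falls inside the affected range 10.0.0 .. 10.0.6.
# Assumption: a prerelease suffix such as -preview.1 is stripped before comparing.
is_affected() {
  base="${1%%-*}"
  major="${base%%.*}"; rest="${base#*.}"
  [ "$rest" = "$base" ] && rest=0          # "10" has no minor/patch part
  minor="${rest%%.*}"; patch="${rest#*.}"
  [ "$patch" = "$rest" ] && patch=0        # "10.0" has no patch part
  case "$major$minor$patch" in *[!0-9]*) return 1 ;; esac   # wildcard/floating versions are skipped
  [ "$major" -eq 10 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Classify one project file as "vulnerable", "fixed" or "not-referenced".
check_project() {
  result="not-referenced"
  for v in $(dp_versions "$1"); do
    if is_affected "$v"; then result="vulnerable"; break; fi
    result="fixed"
  done
  printf '%s\n' "$result"
  return 0
}

# Walk a directory tree, classify every .csproj and Directory.Packages.props,
# and count the files that still need the 10.0.7 package update.
scan_tree() {
  vulnerable=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    status="$(check_project "$f")"
    printf '%-15s %s\n' "$status" "$f"
    [ "$status" = vulnerable ] && vulnerable=$((vulnerable + 1))
  done <<EOF
$(find "$1" \( -name '*.csproj' -o -name 'Directory.Packages.props' \) -type f | sort)
EOF
  printf 'project files still referencing %s 10.0.0 to 10.0.6: %d\n' "$PKG" "$vulnerable"
  return 0
}

# Constructed sample project files (not from any real repository) used when no directory is given.
DEMO_DIR="$(mktemp -d)"
cat >"$DEMO_DIR/Web.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.5" />
  </ItemGroup>
</Project>
EOF
cat >"$DEMO_DIR/Patched.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Version="10.0.7" Include="Microsoft.AspNetCore.DataProtection" />
  </ItemGroup>
</Project>
EOF
cat >"$DEMO_DIR/Directory.Packages.props" <<'EOF'
<Project>
  <ItemGroup>
    <PackageVersion Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
  </ItemGroup>
</Project>
EOF
cat >"$DEMO_DIR/Worker.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
EOF

# Usage: sh dp_audit.sh /path/to/source/tree   (scans the constructed samples when run with no argument)
scan_tree "${1:-$DEMO_DIR}"
```

The scan reports only package references; it does not tell you which runtime is installed, which is a separate check (step 3 above) and, per the advisory, not sufficient on its own. A file reported as "fixed" still needs a rebuild and redeploy before the patched package is actually running.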

Feedback and Further Issues

Microsoft encourages developers to report any issues encountered after updating via the .NET release feedback repo on GitHub. The company has released full release notes, installers, and container images for all supported platforms.

Download links and Linux package details are available on the .NET 10.0 download page.